/**
 * Licensed to Apereo under one or more contributor license agreements. See the NOTICE file
 * distributed with this work for additional information regarding copyright ownership. Apereo
 * licenses this file to you under the Apache License, Version 2.0 (the "License"); you may not use
 * this file except in compliance with the License. You may obtain a copy of the License at the
 * following location:
 *
 * <p>http://www.apache.org/licenses/LICENSE-2.0
 *
 * <p>Unless required by applicable law or agreed to in writing, software distributed under the
 * License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
 * express or implied. See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.apereo.portal.url;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apereo.portal.security.IPerson;
import org.apereo.portal.security.IPersonManager;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;

/**
 * Request interceptor that applies a separate inactivity timeout to the sessions of
 * unauthenticated (guest) users.
 *
 * <p>The override is applied on every intercepted request that already carries a session and
 * whose {@link IPerson} reports an unauthenticated security context. Requests are never blocked:
 * {@link #preHandle} always returns {@code true}.
 *
 * <p>NOTE(review): this class only ever sets the guest timeout; it never restores a longer one
 * after the user authenticates. Presumably the login flow issues a fresh session, so the guest
 * value is not carried over. Confirm this against the authentication code.
 */
public class GuestSessionExpirationInterceptor extends HandlerInterceptorAdapter {
    private IPersonManager personManager;
    private int unauthenticatedUserSessionTimeout = 0;

    /** Injects the manager used to resolve the {@link IPerson} bound to a request. */
    @Autowired
    public void setPersonManager(IPersonManager personManager) {
        this.personManager = personManager;
    }

    /**
     * Configures the value handed to {@link HttpSession#setMaxInactiveInterval(int)} (seconds)
     * for guest users.
     *
     * @param unauthenticatedUserSessionTimeout guest timeout; defaults to 0, and any value
     *     {@code <= 0} disables the override so the existing timeout is left untouched
     */
    public void setUnauthenticatedUserSessionTimeout(int unauthenticatedUserSessionTimeout) {
        this.unauthenticatedUserSessionTimeout = unauthenticatedUserSessionTimeout;
    }

    /**
     * Applies the guest timeout to the current session when the override is enabled, a session
     * already exists, and the request belongs to an unauthenticated person.
     *
     * @return always {@code true}; this interceptor never stops the handler chain
     */
    @Override
    public boolean preHandle(
            HttpServletRequest request, HttpServletResponse response, Object handler)
            throws Exception {
        if (unauthenticatedUserSessionTimeout > 0) {
            // getSession(false) looks up an existing session without creating one, so
            // session-less requests stay session-less.
            final HttpSession existingSession = request.getSession(false);
            if (existingSession != null && isUnauthenticated(request)) {
                existingSession.setMaxInactiveInterval(unauthenticatedUserSessionTimeout);
            }
        }

        return true;
    }

    /**
     * Reports whether the request resolves to a person whose security context is not
     * authenticated. A request with no resolvable person is not treated as a guest.
     */
    private boolean isUnauthenticated(HttpServletRequest request) {
        final IPerson currentPerson = personManager.getPerson(request);
        if (currentPerson == null) {
            return false;
        }
        // NOTE(review): getSecurityContext() is dereferenced without a null check; confirm
        // that IPerson guarantees a non-null context for every person returned here.
        return !currentPerson.getSecurityContext().isAuthenticated();
    }
}
